CVE-2025-22059

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
16/04/2025
Last modified:
17/04/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

udp: Fix multiple wraparounds of sk->sk_rmem_alloc.

__udp_enqueue_schedule_skb() has the following condition:

  if (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf)
    goto drop;

sk->sk_rcvbuf is initialised by net.core.rmem_default and later can
be configured by SO_RCVBUF, which is limited by net.core.rmem_max,
or SO_RCVBUFFORCE.

If we set INT_MAX to sk->sk_rcvbuf, the condition is always false
as sk->sk_rmem_alloc is also signed int.

Then, the size of the incoming skb is added to sk->sk_rmem_alloc
unconditionally.

This results in integer overflow (possibly multiple times) on
sk->sk_rmem_alloc and allows a single socket to have skb up to
net.core.udp_mem[1].

For example, if we set a large value to udp_mem[1] and INT_MAX to
sk->sk_rcvbuf and flood packets to the socket, we can see multiple
overflows:

# cat /proc/net/sockstat | grep UDP:
UDP: inuse 3 mem 7956736
  min(size + (unsigned int)sk->sk_rcvbuf, INT_MAX))
    goto uncharge_drop;

but we do not want to add the expensive atomic_add_return() back just
for the corner case.

Casting rmem to unsigned int prevents multiple wraparounds, but we still
allow a single wraparound.

# cat /proc/net/sockstat | grep UDP:
UDP: inuse 3 mem 524288 > 12

# ss -uam
State Recv-Q ...
UNCONN -2147482816 ...
truesize
only when rcvbuf is large enough to lower the overflow possibility.

Note that we still have a small chance to see overflow if multiple skbs
to the same socket are processed on different cores at the same time and
each size does not exceed the limit but the total size does.

Note also that we must ignore skb->truesize for a small buffer as
explained in commit 363dc73acacb ("udp: be less conservative with
sock rmem accounting").
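The signed comparison the description identifies, beside an unsigned check in the spirit of the fix it outlines, as an added C illustration (not the kernel's code; struct sock_sim, enqueue_vulnerable, enqueue_hardened and flood are stand-ins of my own for sk->sk_rmem_alloc, sk->sk_rcvbuf and __udp_enqueue_schedule_skb()):

```c
#include <limits.h>

/* Stand-ins for the atomic_t sk->sk_rmem_alloc and the int sk->sk_rcvbuf. */
struct sock_sim { int rmem_alloc; int rcvbuf; };

/* Vulnerable check from the description: signed rmem against signed rcvbuf.
 * With rcvbuf == INT_MAX the test is never true, every skb is charged, and
 * the counter wraps (the cast models atomic_add()'s two's-complement wrap). */
static int enqueue_vulnerable(struct sock_sim *sk, unsigned int truesize)
{
    if (sk->rmem_alloc > sk->rcvbuf)
        return -1;                                               /* drop */
    sk->rmem_alloc = (int)((unsigned int)sk->rmem_alloc + truesize);
    return 0;
}

/* Hardened check in the spirit of the fix the description outlines (an
 * illustration, not the kernel's code): rmem and rcvbuf are unsigned, and
 * for a large rcvbuf the skb's truesize is charged before comparing, so the
 * counter cannot be driven past INT_MAX. */
static int enqueue_hardened(struct sock_sim *sk, unsigned int truesize)
{
    unsigned int rmem = (unsigned int)sk->rmem_alloc;
    unsigned int rcvbuf = (unsigned int)sk->rcvbuf;

    if (rmem + truesize > rcvbuf) {
        if (rcvbuf > (unsigned int)(INT_MAX >> 1))
            return -1;               /* large buffer: never cross INT_MAX */
        if (rmem > rcvbuf)
            return -1;               /* small buffer: still admit one skb */
    }
    sk->rmem_alloc = (int)(rmem + truesize);
    return 0;
}

/* Flood n skbs of `truesize` bytes into a socket whose rcvbuf is INT_MAX
 * (the SO_RCVBUFFORCE case); returns the drop count, final counter in *end. */
static long flood(int (*enqueue)(struct sock_sim *, unsigned int),
                  long n, unsigned int truesize, int *end)
{
    struct sock_sim sk = { 0, INT_MAX };
    long dropped = 0;

    for (long i = 0; i < n; i++)
        if (enqueue(&sk, truesize) < 0)
            dropped++;
    *end = sk.rmem_alloc;
    return dropped;
}
```

With 3 * 2^20 + 5 skbs of 2048 bytes, the vulnerable path drops nothing and the counter ends at INT_MIN + 10240 after three wraps, while the hardened path drops everything after the 1048575th skb and the counter ends at 2147481600, just below INT_MAX.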

Impact